Investigation Tab - User Preferences Panel

In the Profile view > Preferences panel > Investigation tab, users can set several preferences that affect the performance and behavior of NetWitness when analyzing data, viewing events, and reconstructing events in NetWitness Investigate. To access this tab, select the profile drop-down icon > profile icon from the Navigate view or the Legacy Events view. When the Profile view is displayed, select Preferences > Investigation. You can change user preferences at any time when you are working in NetWitness.

Quick Look

This figure is an example of the Investigation tab, and the following table describes the preferences that affect Investigate. There are slight differences between the 11.1 search settings and the search settings in later versions; these are explained in "Search for Text Patterns in the Navigate and Legacy Events Views".

[Figure: the Investigation tab of the Preferences panel]

Feature
Description

Threshold
This setting controls the count shown for a meta key value in the Navigate view during the load. A higher threshold allows more accurate counts for a value. However, a higher threshold causes longer load times. When the threshold is reached, NetWitness displays the count and the percentage of time used to reach the count in comparison to the time necessary to load all sessions with that value.
For example, (>100000 - 18%) indicates that the threshold was set at 100000 and this load took only 18% of the time it would have taken with no threshold set. The default value is 100000.

Max Values Results
This setting controls the maximum number of values to load in the Navigate view when the Max Results option is selected in the Meta Key Menu for an open meta key. The default value is 1000.

Max Session Export
This setting controls the maximum number of sessions that can be exported. The default value is 100000.

Max Log View Characters
This setting controls the maximum number of characters to be displayed on Investigate > Legacy Events > Log Text. The default value is 1000.

Export Log Format
This setting specifies the default format for exporting logs from Investigate. Available options are Text, XML, CSV, and JSON. There is no default value for the log export format. If you do not select a format for logs here, NetWitness displays a selection dialog when you invoke export of logs. When you select one of the options from the Export Log Format drop-down menu and click Apply, the setting goes into effect immediately.

Export Meta Format
This setting specifies the default format for exporting meta values from Investigate. Available options are Text, XML, CSV, and JSON. There is no default value for the meta export format. If you do not select a format for exporting meta values here, NetWitness displays a selection dialog when you invoke export of meta values. When you select one of the options from the Export Meta Format drop-down menu and click Apply, the setting goes into effect immediately.
Note: If you upgrade to version 11.5.2, the Export Meta Format preference is not retained and is reset to blank. You must re-configure this value after you upgrade to version 11.5.2.

Use Per Device Local Cache
Allows you to specify the use of locally cached data from the selected service. By default, this checkbox is cleared (Off), which means that Investigate sends a fresh query to the database rather than displaying cached data in the Investigate views after the initial load. If the option is set, Investigate uses the data from local cache.

Show Debug Information
When this option is set, NetWitness displays the where clause beneath the breadcrumb in the Navigate view. For each meta value load, the load time is displayed. If the service is a Broker, the elapsed time for each aggregated service is reported. The default value is Off.

Append Events in Events Panel
When this option is set, the events displayed in the Events Panel are added incrementally rather than overwriting the currently displayed events. Each time you click the next page icon, the additional events are appended to the previous events: 1-25, then 1-50, then 1-75, and so on.
Note: This option is available only if the Optimize Investigation Page Loads option is enabled.

Autoload Values
When this option is set, the service values are automatically loaded in the Navigate view. When not set, NetWitness displays a Load Values button, allowing the user the opportunity to modify the options. The default value is Off.

Download Completed PCAPs
This setting automates the downloading of extracted PCAPs in Investigate so that you do not have to manually download and open extracted PCAP files in an application, such as Wireshark, that can handle viewing data in a PCAP format.

Live Connect: Highlight Risky Values
Set this option if you want NetWitness Platform XDR to highlight and display only IP addresses that are considered to be risky by the NetWitness community. When not enabled, NetWitness Platform displays all IP addresses. By default, this option is cleared (Off).

Optimize Investigation Page Loads
This option is enabled by default (checked) and controls how the Legacy Events view retrieves events. When enabled, results are returned as quickly as possible, but you cannot go to a specific page in the event list. Clearing the checkbox changes the Events list pagination to allow you to go to a specific page in the list (or to the last page). Being able to go to any page in the list costs additional overhead to determine the events in advance.

Default Session View
This setting selects the default reconstruction type for the initial reconstruction view. By default, events are reconstructed using the reconstruction type most appropriate to the event.

Enable CSS Reconstruction for Web View
This setting controls how web content reconstruction is performed. If enabled, the web reconstruction includes Cascading Style Sheets (CSS) styles and images so that its appearance matches the original view in a web browser. This includes scanning and reconstructing related events, and searching for stylesheets and images used in the target event. The option is enabled by default. Clear the checkbox if there are problems viewing specific websites.
Note: The appearance of the reconstructed content may not match the original web page perfectly if related images and stylesheets could not be found or were loaded from the web browser's cache. Also, any layout or styling that is performed dynamically via client-side JavaScript does not render in the reconstruction because all client-side JavaScript is removed for security purposes.

Search Options
This setting specifies the default search options to apply to a search in the Navigate and Legacy Events views. The topic "Search for Text Patterns in the Navigate and Legacy Events Views" provides detailed information.

Apply
Saves your preferences and puts them into effect immediately.